Barracuda Networks is urging organizations with Email Security Gateway appliances impacted by a remote command injection bug in the devices to replace them, even if they were patched.
The company’s recommendation comes after Barracuda was first alerted to anomalous traffic coming from Email Security Gateway (ESG) appliances on May 18, which prompted the company to begin an investigation with the help of cybersecurity firm Mandiant.
This week, Barracuda updated its notice, urging customers with impacted ESG appliances to replace them regardless of their patch version level.
“Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG,” the company says in its advisory.
According to the advisory, Barracuda identified a remote command injection vulnerability in their ESG appliance one day after discovering the “anomalous traffic” and engaging Mandiant. A patch was released a day after that on May 20, but the patch is apparently not enough to prevent compromise of the affected devices.
The company is also releasing a “series of security patches” to all appliances.
Exploitation for 10 months
Alarmingly, Barracuda and other cybersecurity firms say exploitation of these ESG appliances dates back to fall 2022, specifically October 2022.
According to Barracuda, the vulnerability existed in a module that performs the initial screening of attachments on incoming emails. The bug has been leveraged to obtain unauthorized access to a subset of ESG appliances, and malware giving attackers a backdoor was identified on a subset of those appliances.
Evidence of data exfiltration was also identified, the company says.
The company notified users with impacted appliances to take action, but “additional customers may be identified in the course of the investigation,” the firm says.
About the vulnerability and malware
According to Barracuda, the vulnerability, CVE-2023-2868, stems from “incomplete input validation of user supplied .tar files as it pertains to the names of files contained within the archive.”
This allows a remote attacker to format file names in a particular manner that would result in “remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product,” the company says.
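The defensive lesson in the two paragraphs above is twofold: archive member names are attacker-controlled input and must be validated against an allow-list before any other component sees them, and a file name must never be interpolated into a shell command string (Perl's qx, or its equivalents in other languages). The following is an added example, not Barracuda's code and not a reconstruction of the ESG module; it uses Python as a stand-in for the Perl attachment screener, with constructed archive contents and file names, and a Python child process standing in for whatever helper the scanner would call:

```python
"""Added example (not Barracuda's code): allow-list validation of tar member
names before an attachment scanner touches them, plus a shell-free way to hand
a name to a helper process. The sample archive and member names are constructed
here for the demonstration."""
import io
import re
import subprocess
import sys
import tarfile

# One path segment: starts with a letter or digit, then only [A-Za-z0-9._-].
# A leading '-' is rejected so a name can never be read as a command option;
# a leading '.' is rejected so '.', '..' and hidden names never get through.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")
MAX_NAME_LEN = 1024


def member_name_is_safe(name: str) -> bool:
    """Return True only if every path segment of a tar member name is on the allow-list."""
    if not name or len(name) > MAX_NAME_LEN:
        return False
    if name.startswith("/") or "\\" in name or "\x00" in name:
        return False
    # Shell metacharacters (` $ ; | & < > ( ) and friends) are excluded simply
    # by not being in the allowed set; there is no deny-list to keep current.
    return all(SAFE_SEGMENT.match(segment) for segment in name.split("/"))


def unsafe_member_names(archive_bytes: bytes) -> list[str]:
    """List every member name that fails validation, without extracting anything."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        return [m.name for m in tar.getmembers() if not member_name_is_safe(m.name)]


def hand_name_to_helper(name: str) -> str:
    """Hardened counterpart of a qx-style call: the name travels as a single argv
    element, so no shell ever parses it. A Python child process stands in for the
    scanning helper so the example runs anywhere; it simply echoes argv[1]."""
    completed = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", name],
        capture_output=True, text=True, check=True,
    )
    return completed.stdout


def build_sample_archive(names: list[str]) -> bytes:
    """Construct an in-memory tar whose member names are chosen by the caller."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            body = b"constructed attachment body"
            info = tarfile.TarInfo(name=name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def screen_archive(archive_bytes: bytes) -> dict[str, list[str]]:
    """Reject the whole archive if any member name fails validation; otherwise
    pass each name to the helper without a shell in the path."""
    rejected = unsafe_member_names(archive_bytes)
    if rejected:
        return {"accepted": [], "rejected": rejected}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        accepted = [hand_name_to_helper(m.name) for m in tar.getmembers()]
    return {"accepted": accepted, "rejected": []}


if __name__ == "__main__":
    # Constructed archives: one with a name carrying shell metacharacters, one clean.
    print(screen_archive(build_sample_archive(["invoice.pdf", "invoice`id`.pdf"])))
    print(screen_archive(build_sample_archive(["invoice.pdf", "2023/q2/report-final.pdf"])))
```

Two design choices matter here. The validator is an allow-list rather than a search for known-bad characters, so a metacharacter nobody thought of is still rejected, and the archive is refused as a whole rather than having its bad members skipped, which keeps a partially hostile upload from being half-processed. Even with validation in place, the helper is invoked with an argument vector and never via a shell string, so the two controls fail independently.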
Barracuda also identified three malware strains that make the backdoor possible.
Recommendations
Barracuda is recommending that organizations with ESG appliances ensure the devices are receiving and applying updates and security patches. The company is, of course, also recommending that organizations discontinue use of compromised ESG appliances and contact Barracuda support to obtain a new ESG virtual or hardware appliance.
In addition, organizations should rotate any applicable credentials connected to the ESG appliance, including:
- Any connected LDAP/AD
- Barracuda Cloud Control
- FTP Server
- SMB
- Any private TLS certificates
Organizations should also review their network logs for any of the indicators of compromise listed in Barracuda’s advisory. They should contact [email protected] if any are identified, the firm says.